Researchers at F-Secure claim they have found a series of weaknesses in the firmware update process of QNAP’s TVS-663 NAS device, including a failure to encrypt update requests. These security shortcomings give hackers a means to seize administrative control of vulnerable devices, they claim.

Harry Sintonen, senior security consultant at F-Secure, developed a proof-of-concept exploit to confirm the vulnerabilities. “Many of these types of vulnerabilities are not severe on their own. But attackers able to put them together can cause a massive compromise,” according to Sintonen.

Sintonen’s PoC begins when the device sends unencrypted requests for firmware updates back to the company. This lack of encryption allows hackers to run man-in-the-middle attacks. Sintonen says he took advantage of this weakness by serving the device with an exploit disguised as a firmware update.

Although the fake update is never actually installed, the exploit uses a flaw in the update process to achieve a full system compromise, he claims. The one major limitation is that hackers would need to be in a position to intercept the update process before they could manipulate it, he added.

That would be enough to frustrate remote hackers – though not miscreants already logged onto the same network as their intended target, he explained.

F-Secure estimates that over 1.4 million devices running the affected firmware could be vulnerable. The research was presented at the Disobey conference in Helsinki, Finland last week.